js-crypto-hkdf
Universal Module for HKDF (Hash-based Key Derivation Function) in JavaScript
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established publisher with strong track record; missing gitHead reflects a publish environment change, not a security concern for this package. | ai | |
| source-diff | obfuscated-file:dist/test.bundle.js | AI (source-diff): dist/test.bundle.js is a webpack-bundled test artifact (karma/browser tests). Long lines are standard webpack bundle output, not obfuscation or malicious code. | ai | |
| source-diff | net-exec-file:dist/test.bundle.js | AI (source-diff): The net+exec pattern in test.bundle.js is webpack's standard module loader (modules[moduleId].call) combined with test utilities. Not a dropper/loader pattern. | ai | |
| provenance | no-provenance | AI (provenance): Established package with trusted publisher history; lack of Sigstore attestation is a process gap, not a security risk for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-regenerator | AI (phantom-deps): Babel transform plugin used at build time; phantom-dep finding is a stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/jschkdf.bundle.min.js | AI (source-diff): The flagged file is a standard webpack UMD bundle for a browser crypto library. The 'network calls' are require('crypto') and the 'dynamic execution' is webpack's module loader pattern — not malware indicators for this package. | ai | |
| source-diff | obfuscated-file:dist/jschkdf.bundle.js | AI (source-diff): This is standard webpack production minification output, consistent with the package's build scripts. The content is recognizable crypto/utility library code, not malicious obfuscation. | ai |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 1.0.7 | 5 / 0 | |
| 1.0.6 | 4 / 0 | |
| 1.0.5 | 4 / 0 | |
| 1.0.4 | 4 / 0 | |
| 1.0.3 | 4 / 0 | |
| 1.0.2 | 4 / 0 | |
| 1.0.1 | 4 / 0 | |
| 1.0.0 | 4 / 0 | |
| 0.7.3 | 4 / 0 | |
| 0.7.2 | 4 / 0 | |
| 0.7.1 | 4 / 0 | |
| 0.7.0 | 4 / 0 | |
| 0.6.4 | 4 / 0 | |
| 0.6.3 | 4 / 0 | |
| 0.6.2 | 4 / 0 | |
| 0.6.1 | 4 / 0 | |
| 0.6.0 | 4 / 0 | |
| 0.5.4 | 4 / 0 | |
| 0.5.3 | 4 / 0 | |
| 0.5.2 | 4 / 0 | |
| 0.5.0 | 4 / 0 | |
| 0.4.9 | 4 / 0 | |
| 0.4.8 | 4 / 0 | |
| 0.4.7 | 4 / 0 | |
| 0.4.6 | 4 / 0 | |
| 0.4.4 | 4 / 0 | |
| 0.4.3 | 4 / 0 | |
| 0.4.2 | 5 / 0 | |
| 0.4.1 | 4 / 0 | |
| 0.4.0 | 4 / 29 | |
| 0.3.4 | 4 / 27 | |
| 0.3.3 | 4 / 27 | |
| 0.3.2 | 4 / 27 | |
| 0.3.1 | 4 / 23 | |
| 0.3.0 | 4 / 23 | |
| 0.2.4 | 4 / 23 | |
| 0.2.3 | 4 / 23 | |
| 0.2.2 | 4 / 23 | |
| 0.2.1 | 4 / 23 | |
| 0.2.0 | 4 / 23 | |
| 0.1.0 | 3 / 24 |
v1.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kurihara.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kurihara.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kurihara.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kurihara.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kurihara.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.